Validate a CycloneDX SBOM: bomFormat, supported specVersion (1.4–1.6), every component has name+version+purl, and top-level dependencies present. Satisfies the EU CRA Annex I Part II(1) machine-readable SBOM requirement. Zero network. Feeds the SLSA provenance verifier (art-136).
CycloneDX 1.4–1.6EU CRA Annex ISBOMFull applicability Dec 2027W3C VC §13.11Zero PIIClient-side only
🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
Scope
Root stage of the sbom-provenance-attestation chain (art-135→136→137). Validates CycloneDX SBOM structure per the EU CRA Annex I minimum: machine-readable format, version 1.4/1.5/1.6, all components carry a purl, and top-level dependencies are declared. Flags components missing a purl. Verdict feeds the SLSA provenance verifier (art-136). CRA full applicability 11 Dec 2027, penalty up to €15M or 2.5% of global turnover.